CRM-21022 - Parameterize variables in SQL query
civicrm#11002

Change-Id: I80709653a756f88c52c5350f67467876cbb69350
seancolsen authored and eileenmcnaughton committed Feb 1, 2018
1 parent 90525fc commit 7d8cc20
Showing 1 changed file with 14 additions and 9 deletions.
23 changes: 14 additions & 9 deletions CRM/Report/Page/InstanceList.php
Expand Up @@ -85,8 +85,11 @@ class CRM_Report_Page_InstanceList extends CRM_Core_Page {
public function info() {

$report = '';
$queryParams = array();

if ($this->ovID) {
$report .= " AND v.id = {$this->ovID} ";
$report .= " AND v.id = %1 ";
$queryParams[1] = array($this->ovID, 'Integer');
}

if ($this->compID) {
Expand All @@ -95,7 +98,8 @@ public function info() {
$this->_compName = 'Contact';
}
else {
$report .= " AND v.component_id = {$this->compID} ";
$report .= " AND v.component_id = %2 ";
$queryParams[2] = array($this->compID, 'Integer');
$cmpName = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Component', $this->compID,
'name', 'id'
);
Expand All @@ -106,10 +110,12 @@ public function info() {
}
}
elseif ($this->grouping) {
$report .= " AND v.grouping = '{$this->grouping}' ";
$report .= " AND v.grouping = %3 ";
$queryParams[3] = array($this->grouping, 'String');
}
elseif ($this->myReports) {
$report .= " AND inst.owner_id = " . CRM_Core_Session::getLoggedInContactID();
$report .= " AND inst.owner_id = %4 ";
$queryParams[4] = array(CRM_Core_Session::getLoggedInContactID(), 'Integer');
}

$sql = "
Expand All @@ -129,12 +135,11 @@ public function info() {
ON v.component_id = comp.id
WHERE v.is_active = 1 {$report}
AND inst.domain_id = %1
ORDER BY v.weight";
AND inst.domain_id = %9
ORDER BY v.weight ASC, inst.title ASC";
$queryParams[9] = array(CRM_Core_Config::domainID(), 'Integer');

$dao = CRM_Core_DAO::executeQuery($sql, array(
1 => array(CRM_Core_Config::domainID(), 'Integer'),
));
$dao = CRM_Core_DAO::executeQuery($sql, $queryParams);

$config = CRM_Core_Config::singleton();
$rows = array();
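Review bot: In the `$this->myReports` branch, `CRM_Core_Session::getLoggedInContactID()` can return NULL when no contact is logged in, and binding NULL as the `'Integer'` value for `%4` in `inst.owner_id = %4` is not a usable filter — depending on how `composeQuery` validates the parameter the query either aborts or matches nothing, a case the old string-built clause did not handle either. I would resolve the id before the chain, `$ownerId = CRM_Core_Session::getLoggedInContactID();`, then guard with `elseif ($this->myReports && $ownerId) {` and bind `$queryParams[4] = array($ownerId, 'Integer');`. Separately, the `ORDER BY v.weight ASC, inst.title ASC` change alters the listing order but is not mentioned in the commit message, so it deserves a line there. The jump from `%4` to `%9` for the domain id is unexplained; `%5`, or a comment such as `// %9: domain scope, numbered apart from the optional filters above`, would make the placeholder set easier to follow. The `info()` method continues outside the visible hunks.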
